Full Disclosure mailing list archives
RE: IE Web Browser: "Sitting Duck"
From: "joe" <mvp () joeware net>
Date: Wed, 7 Jul 2004 00:58:08 -0400
It is a core component of the current Windows UI, this is not the same as being a core component of Windows. Explorer is simply a UI shell that sits on the operating system known as Windows. The entire shell is replaceable and has been for a long time, since at least Win3.1. Do programs written for the explorer shell use explorer shell components. Yes. This, as you mention is the nature of DLLs and the idea that you don't have to write everything from scratch. It is why this stuff gets stuffed into DLLs instead of into big EXEs. Every modern OS has the concept of shared modules like that. This is so you don't have to write your own object pickers and other things so they A. Look consistent B. Reduce dev time - RAD solutions. People have been replacing shells for ages on Windows. It has never been what you would consider mainstream though because most Windows users are not deep techno weenies like is enjoyed by some of the other Oses that currently have some small measure of favor in techno weenie world now. When Windows was first growing up, most of us weenies were over on real Unix or on Mini's swapping RTS's around or even on full Mainframe's begging for more cycles for trek or hunt the wumpus. Once it started getting used seriously by companies us Weenies were like, ick, Windows, no way, that VB blows... Who uses BASIC? No one!! You should cry out. Well unless you were on the Digital Equipment Systems that had huge chunks of the system written in BASIC-PLUS or BP-2. Of course on DEC, BASIC-PLUS is fine, it has the PLUS in it and after BP you pretty much had Macro Assembler as the serious language with some crazy university people talking about that language with the stupid name... I think it was called c. If you were actually planning on turning in an assignment in the next 6 months, you probably didn't choose to do it in MASM. Of course you had FORTRAN and COBOL as well but you couldn't do fun games in those. The people really using Windows were non-weenies and didn't care that you could change the shell, they didn't want it changed as excel and word and most importantly solitaire worked just fine with the way it was. So Windows never gained the popularity as a weenie OS even though one of the biggest Weenies was responsible for it. But then, he was in it for money and the idea he was changing the world. And he got both. Anyway, I wouldn't doubt it if half or better of the people ragging on Windows on this list have any idea that you can replace the shell. They might know you can use different shells in *nix - note I say they *might* because the *nixs are picking up a lot of the people who were previously clueless in Windows and they aren't learning much going to *nix. They just think it is better and more secure because they know even less about it than they did about Windows. They aren't true weenies, just people who think they know enough to be weenies. Being a techno weenie is a "cool" thing now. I don't know when that happened but it seems to have occurred. The people who do change shells regularly on Windows though seem to have a blast doing it. Actually I recall when the explorer shell first came out and people had fits over it, they had to publish this... http://support.microsoft.com/?kbid=142255. It is why progman is STILL around in XP (note it is gone in Windows Server 2003 - there progman maps to explorer though I would expect you could copy progman from XP or 2K or probably even NT4 and it would work on K3). Actually, I just tried this. I keep a VM that uses CMD as the default shell around for testing things and I copied progman from XP over to it and it worked fine. I believe there may actually be one or two open source (or possibly they were simply free bin) projects out there still to create the perfect Windows Shell, at least there were a couple of years back when I last went and looked. Those shells can, if they want, leverage the DLLs that Microsoft provided for the explorer shell or create lots of new stuff and use that. The earliest replacements were usually to lock machines down to kiosk mode for someone's custom P.O.S. apps. Many evil admins used to do it to jr admins (a majority of the Windows Admins) by slapping down cmd.exe as the shell (as mentioned above) so they get a big black screen with a blinking cursor and that is it unless they know how to call something else up. Heck I would expect you could make a shell if you wanted that was completely based on firefox or thunderbird if email/news was your thing. Not sure how useful that would be but I am pretty confident you could do it if you wanted to put the time into it. Does the UI need work? You will get no argument from me. Does IE need work? Again you will get no argument from me. Does the fact that the UI and IE need rework mean that Windows needs a redesign? Absolutely not. That whole conversation was about why Windows needed a core level redesign. The UI and IE do not come into play with that conversation. I am not saying IE doesn't suck, I am saying in the context of that converation, it was a moot point. Period. Anyway, even if you replace the shell, you still have the SCuM crunching away, the event log system still crunching away, the process system, etc etc etc - the base components can't be turned off and something else used. As for the IE not being a simple executable statement... Come on, there isn't much in Windows that is a simple EXE. Everything is importing from one or another DLL or else it would be worthless. Even the simplest command line tools I write will tend to have at least 3-5 DLLs tied in. Go get Thunderbird and load it on an XP machine. Go get process explorer from sysinternals or tlist from MS or tasklist from MS. Look at the DLLs and functions being called. In Sysinternals it is really obvious, Thunderbird calls more MS DLLs than anything else. With TLIST it isn't quite as easy to see but someone used to really looking at Windows can pick out the Windows DLLs over the others.... Of course there are more because the functionality of Thunderbird is very limited compared to the functionality of Windows (Hint one is an OS, one is an email/news client), it pulls from several different DLLs as it is using lots of different functionality of Windows which is spread over more DLLs than the Thunderbird specific DLLs need to be spread. 0x00400000 thunderbird.exe 0x01460000 FULLSOFT.DLL 0x02070000 profile.dll 0x10000000 qfaservices.dll 0x60020000 jar50.dll 0x60090000 js3250.dll 0x60120000 NSLDAP32V50.dll 0x60150000 NSLDAPPR32V50.dll 0x60160000 nspr4.dll 0x601f0000 nssckbi.dll 0x60220000 plc4.dll 0x60230000 plds4.dll 0x60250000 smime3.dll 0x60270000 softokn3.dll 0x602f0000 xpcom.dll 0x60350000 xpcom_compat.dll 0x61210000 POINT32.dll 0x61220000 MSH_ZWF.dll 3.2.0.0 shp 0x60190000 nss3.dll 3.2.0.0 shp 0x602d0000 ssl3.dll 5.1.2600.0 shp 0x71a50000 mswsock.dll 5.1.2600.0 shp 0x71a90000 wshtcpip.dll 5.1.2600.0 shp 0x71aa0000 WS2HELP.dll 5.1.2600.0 shp 0x71ad0000 WSOCK32.dll 5.1.2600.0 shp 0x76fb0000 winrnr.dll 5.1.2600.0 shp 0x76fc0000 rasadhlp.dll 5.1.2600.0 shp 0x77c00000 VERSION.dll 3.50.5016.0 shp 0x77120000 OLEAUT32.dll 5.1.2600.1106 shp 0x73000000 WINSPOOL.DRV 5.1.2600.1106 shp 0x746f0000 msimtf.dll 5.1.2600.1106 shp 0x74720000 MSCTF.dll 5.1.2600.1106 shp 0x76380000 msimg32.dll 5.1.2600.1106 shp 0x76670000 SETUPAPI.dll 5.1.2600.1106 shp 0x76f20000 DNSAPI.dll 5.1.2600.1106 shp 0x76f60000 WLDAP32.dll 5.1.2600.1106 shp 0x77dd0000 ADVAPI32.dll 5.1.2600.1106 shp 0x77e60000 kernel32.dll 5.1.2600.1217 shp 0x77f50000 ntdll.dll 5.1.2600.1240 shp 0x71ab0000 WS2_32.dll 5.1.2600.1255 shp 0x77d40000 USER32.dll 5.1.2600.1346 shp 0x7e090000 GDI32.dll 5.1.2600.1361 shp 0x78000000 RPCRT4.dll 5.1.2600.1362 shp 0x771b0000 ole32.dll 6.0.2800.1106 shp 0x5ad70000 uxtheme.dll 6.0.2800.1106 shp 0x763b0000 comdlg32.dll 6.0.2800.1233 shp 0x773d0000 SHELL32.dll 6.0.2800.1400 shp 0x1a400000 urlmon.dll 6.0.2800.1400 shp 0x70a70000 SHLWAPI.dll 7.0.2600.1106 shp 0x77c10000 msvcrt.dll 2001.12.4414.42 sh 0x77050000 COMRes.dll 2001.12.4414.53 sh 0x7c890000 CLBCATQ.DLL 5.82.2800.1106 shp 0x71950000 COMCTL32.dll To contrast, here is a simple little command line tool I recently wrote for doing LDAP mods and such... 1.0.0.50 shp 0x00400000 AdMod.exe 5.1.2600.1217 shp 0x77f50000 ntdll.dll 5.1.2600.1106 shp 0x77e60000 kernel32.dll 5.1.2600.1106 shp 0x76f60000 WLDAP32.DLL 7.0.2600.1106 shp 0x77c10000 msvcrt.dll 5.1.2600.1106 shp 0x77dd0000 ADVAPI32.dll 5.1.2600.1361 shp 0x78000000 RPCRT4.dll 5.1.2600.1255 shp 0x77d40000 USER32.DLL 5.1.2600.1346 shp 0x7e090000 GDI32.dll If the UI is designed to be heavily influenced by and using lots of internet components and web browsing is the model you use, of course the functionality should be stripped out of the browser EXE itself and placed into DLLs that other processes can leverage, only makes sense, standard coding practices for systems. This again gets you consistency and easier/quicker development. I personally don't like the MMC idea, I don't like the web browsing as the whole user experience idea, etc. However, because I don't like it doesn't mean I see Windows as useless or needing a complete redesign. Certain pieces certainly need help though. It would be kind of cool if that is the way it is going to be they allow others to follow a specific set of guidelines in such a way that you could plug a different set of DLLs in as replacements so you could say use another browsers functionality. But then people would complain because their favorite browser couldn't be used because the people writing the browser didn't want to produce the proper exports and blackbox guidelines in the DLLs and go about blaming MS for that. On the nice side though, MS does allow you methods in which to write your own stuff to get around it. Don't like the MMC, write your own interface, I have written many. Don't like the browser, write or download another. Don't like the shell write or download another. This is probably a bit jumpy, I wrote this over the course of the whole day and my mind was on about 1500 different things. I apologize if it is jumpy, but I am not rewriting it irregardless of how jumpy it is. :o) joe -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Barry Fitzgerald Sent: Tuesday, July 06, 2004 10:28 AM To: joe Cc: FULL-DISCLOSURE () lists netsys com Subject: Re: [Full-disclosure] IE Web Browser: "Sitting Duck" joe wrote:
Couple of things. 1. The conversation you are referring to was a conversation about issues with core base components that necessitated a complete redesign. You kept bringing up items that were NOT core base components - they were UI components. IE being one of them. The very fact that you have a choice to use a different browser should help you understand that. Try to use a different ACL system on Windows NT based systems and tell me how
that goes.
The choice to use a different browser doesn't imply that IE isn't a core base component at all. Is it a part of the kernel? No... Is it completely unremovable? Of course not... Is it a part of the standard Windows UI? Yes... Is it impossible to remove easily and difficult to remove cleanly? Yes... Will removing it make many programs operate incorrectly? Yes... I think you see where I'm going with this. It's a core component in MS Windows, though it may not be a part of the OS kernel, it is, nonetheless, undebatably, a core component of MS Windows as a software. Keep in mind, IE is more than just a simple executable. The DLLs that it uses are built to be used by other portions of the system and are extensively used. Of course, this is the nature of DLLs. -Barry _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: IE Web Browser: "Sitting Duck" joe (Jul 03)
- Re: IE Web Browser: "Sitting Duck" Barry Fitzgerald (Jul 06)
- Re: IE Web Browser: "Sitting Duck" Frank Knobbe (Jul 06)
- Re: IE Web Browser: "Sitting Duck" Barry Fitzgerald (Jul 06)
- Re: IE Web Browser: "Sitting Duck" Frank Knobbe (Jul 06)
- Re: IE Web Browser: 'Sitting Duck' Eric Paynter (Jul 06)
- Re: IE Web Browser: "Sitting Duck" Frank Knobbe (Jul 06)
- RE: IE Web Browser: "Sitting Duck" joe (Jul 06)
- RE: IE Web Browser: "Sitting Duck" Dave Horsfall (Jul 06)
- RE: IE Web Browser: "Sitting Duck" joe (Jul 07)
- RE: IE Web Browser: "Sitting Duck" Bruce Ediger (Jul 07)
- RE: IE Web Browser: "Sitting Duck" joe (Jul 07)
- RE: IE Web Browser: "Sitting Duck" Todd Burroughs (Jul 08)
- Re: IE Web Browser: "Sitting Duck" Barry Fitzgerald (Jul 06)
- Re: IE Web Browser: "Sitting Duck" Barry Fitzgerald (Jul 07)
- RE: IE Web Browser: "Sitting Duck" joe (Jul 07)
- RE: IE Web Browser: "Sitting Duck" joe (Jul 07)
- <Possible follow-ups>
- Re: IE Web Browser: "Sitting Duck" bills.bitch (Jul 04)
- RE: IE Web Browser: "Sitting Duck" joe (Jul 04)